Overview

The Saudi Arabian Monetary Authority (SAMA) has published new cybersecurity framework guidelines that significantly raise compliance standards for financial institutions operating in the Kingdom. The updated requirements mandate that all licensed entities achieve maturity level 3 across all 12 SAMA CSF domains by Q4 2025.

Key Requirements

  • 24/7 Security Operations Center (SOC) capability
  • Multi-factor authentication for all privileged accounts
  • Annual third-party penetration testing by certified providers
  • Board-level cybersecurity oversight and quarterly reporting
  • Supply chain risk assessments for all critical vendors

Timeline

Organizations have until December 31, 2025, to demonstrate full compliance. SAMA has indicated that non-compliant institutions may face regulatory action, including fines and operational restrictions.

What This Means for Your Organization

Financial institutions should immediately conduct a gap assessment against the updated SAMA CSF requirements. Key priority areas include SOC establishment, privileged access management, and board cybersecurity governance.